Hosting applications in Azure usually requires some form of connection to the on-premises networks. You could use Point-to-Site dialup or ExpressRoute, but Site-to-Site VPNs seem to be the most used technology, and are certainly cheaper than an ExpressRoute connection.

But what if you want to use multiple links for failover? What if your local firewall fails, or the internet connection itself? Well, that's why Azure supports Multi-Site VPNs. While it is capable of having two tunnels from on-premises to Azure with preferences, there is no automatic failover support. That means that if tunnel 1 goes down, tunnel 2 is NOT automatically activated: you need to disable tunnel 1 in Azure itself, and only THEN does tunnel 2 come up. That is annoying, but there is another way to fully automate this: BGP, the Border Gateway Protocol.

BGP is widely used in Internet land, or to be more precise in the routers that make up the internet itself. Routes towards other regions of the wide network are exchanged between the devices, and that is how packets are steered from A to B to C to D to E and back again.

Azure supports BGP (link), and on the same link you can read what it is and why you should or could use it within Azure. While my telecom provider only allows me a single external IP address, BGP could still have its advantages. As you might be aware, Virtual Networks in Azure can be extended with new address spaces and new subnets. By using BGP, these new addresses are automatically advertised over the VPN to my home. I know, it's not very vital, but it saves me the time of configuring static routes on my router, and as soon as my ISP is willing to give me 2 external IP addresses I will be happy to extend this post with multi-VPN connections using BGP. For now, this post is more about how to implement it with a Juniper SRX.

The setup here is as follows:

As you can see, the setup is quite simple. On the left is the home or “on-premises” network with 172.16.5.0/24, and on the Azure side a VNet with two subnets (one for the Gateway, one for the actual VMs). A VPN tunnel connects both sides.

(Note: I specified Azure-Networks-1 in this case as 172.16.100.0/22; obviously, if more address spaces are added, these need to be added to the policy rules too.)

This takes care of the VPN on the Juniper side, but not yet the BGP. To set up BGP, the following configuration entries need to be made:
set protocols bgp local-address 172.16.5.1
set protocols bgp group azure type external
set protocols bgp group azure multihop ttl 50
set protocols bgp group azure peer-as 65010
set protocols bgp group azure neighbor 172.16.102.30
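Before committing these statements it is worth sanity-checking them against the address plan above. The Python script below is an added example, not part of the original post or of Junos: it parses the set lines, checks that the local address sits in the on-premises range and the neighbor inside an Azure address space, and flags missing eBGP knobs. The Azure BGP peer lives inside the VNet and is only reachable through the tunnel, which is why an eBGP session to it needs multihop; the address ranges, peer-as and neighbor values are the ones from this post, and the list of Azure address spaces is the one place to extend when the VNet grows.

```python
import ipaddress
import re

# Constructed sample: the five SRX statements from this post, plus the address
# plan it describes (on-premises 172.16.5.0/24, Azure-Networks-1 172.16.100.0/22).
SRX_BGP_CONFIG = """\
set protocols bgp local-address 172.16.5.1
set protocols bgp group azure type external
set protocols bgp group azure multihop ttl 50
set protocols bgp group azure peer-as 65010
set protocols bgp group azure neighbor 172.16.102.30
"""
ON_PREM = ipaddress.ip_network("172.16.5.0/24")
# Extend this list whenever a new address space is added to the VNet.
AZURE_SPACES = [ipaddress.ip_network("172.16.100.0/22")]


def parse_set_lines(config):
    """Turn Junos 'set protocols bgp ...' lines into {group: {knob: value}}.
    Statements above the group level (e.g. local-address) go under key None."""
    parsed = {}
    for line in config.splitlines():
        m = re.match(r"set protocols bgp(?: group (\S+))? (.+)", line.strip())
        if not m:
            continue
        group, words = m.group(1), m.group(2).split()
        knobs = parsed.setdefault(group, {})
        if words[0] == "multihop":        # 'multihop ttl 50' -> {'multihop': 50}
            knobs["multihop"] = int(words[-1])
        else:                             # 'peer-as 65010' -> {'peer-as': '65010'}
            knobs[words[0]] = words[1] if len(words) > 1 else True
    return parsed


def check_azure_peer(parsed, group="azure"):
    """Return a list of findings; an empty list means the group is consistent."""
    findings = []
    top, grp = parsed.get(None, {}), parsed.get(group, {})
    local = ipaddress.ip_address(grp.get("local-address", top.get("local-address", "0.0.0.0")))
    if local not in ON_PREM:
        findings.append(f"local-address {local} is not in the on-premises range {ON_PREM}")
    neighbor = ipaddress.ip_address(grp.get("neighbor", "0.0.0.0"))
    if not any(neighbor in net for net in AZURE_SPACES):
        findings.append(f"neighbor {neighbor} is outside every Azure address space")
    if grp.get("type") != "external" or "peer-as" not in grp:
        findings.append("eBGP to Azure needs 'type external' and a 'peer-as'")
    # The Azure peer is inside the VNet and reached through the tunnel, so eBGP needs multihop.
    if "multihop" not in grp:
        findings.append("neighbor is reached through the tunnel, so 'multihop' is required")
    return findings
```

Calling check_azure_peer(parse_set_lines(SRX_BGP_CONFIG)) returns an empty list for the statements above; drop the multihop line or move the neighbor outside 172.16.100.0/22 and it tells you why the session would never come up.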

Now wait for the configuration to be applied and the BGP routes to be exchanged. If all is well, outside of the configuration editor you should be able to issue a show bgp neighbor, which should output something like: